
Wordpress.com Security Breach

Published: 2011-04-18
Last Updated: 2011-04-18 20:32:00 UTC
by John Bambenek (Version: 1)
7 comment(s)

Wordpress reported in the middle of last week that they suffered a compromise in which an attacker gained root access to some of their servers.  They haven't released many specifics about what happened, but they indicate that usernames and passwords could have been compromised for those with accounts on the Wordpress.com site itself (as distinct from people who simply run Wordpress to power blogs on their own systems).  This once again brings to the fore the need to use strong passwords for online sites and a unique password for each site.

The bigger issue, however, is that with the multiplicity of online sites and social media, the number of accounts an individual needs to maintain is vast.  I counted my own list of accounts and, just for the non-professional ones, I have 23 or so logins.  Strong passwords help (particularly if they are over 12 characters), but then there is the problem of remembering them all.  Combine that with the fact that most online sites use the e-mail address as the username, and there is a big problem.

What mitigates this is the deployment of decentralized authentication, and OpenID is a good example.  A user can then keep one strong password in a single trusted place (and, even better, use two-factor authentication there).  As far as I can tell, Wordpress.com doesn't allow OpenID to register a blog, but it can be set up if you maintain your own Wordpress installation.  The takeaway is: if you run an interactive online website, investigate using OpenID to register and authorize users.  If you get breached, you no longer hold a password that can be stolen to assume someone's online identity.

For users: where you can, use OpenID (or similar) schemes that let you maintain your online identity in one place.  Facebook and Twitter have similar features, if you don't mind giving those companies the ability to data-mine which sites you interact with.  Many sites still require you to create an account with a password before you can switch to OpenID.  In that case, create the account, set up OpenID, then change the password to something strong and long and store it somewhere safe (on the off chance you need the actual password some day).  A malicious individual who had already compromised your PC could still "proxy" off an existing session and do bad things, but you would not have to worry about the mass compromises that have hit Wordpress, Gawker and others recently.
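As an added example (not part of the diary, and not code from Wordpress or any OpenID library), the following Python script audits a personal account inventory for the two weaknesses the diary describes: the same password reused across sites, and passwords that are not over 12 characters. It also computes which other sites a single breach would expose, and generates a long random replacement password of the kind the diary suggests storing somewhere safe. The account list, site names and the 12-character threshold are constructed or taken from the diary's own figure; nothing here is real account data.

```python
"""Credential-hygiene audit (constructed example, not code from the diary or Wordpress).

Flags password reuse and short passwords in an inventory of accounts, shows the
blast radius of a breach at one site, and generates a strong replacement.
"""
import secrets
import string
from collections import defaultdict

# The diary's threshold: passwords should be over 12 characters.
MIN_LENGTH = 12

# Constructed sample inventory of (site, username, password). Not real accounts.
ACCOUNTS = [
    ("blog-host.example", "alice@example.net", "Summer2011!"),
    ("social.example", "alice@example.net", "Summer2011!"),
    ("shop.example", "alice", "Summer2011!"),
    ("bank.example", "alice@example.net", "correct horse battery staple"),
    ("forum.example", "alice_f", "kw7!Pq2#zL9m"),
]

# Character set for generated passwords: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused(accounts):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, _user, password in accounts:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_short(accounts, min_length=MIN_LENGTH):
    """Return sites whose password is not longer than min_length characters."""
    return [site for site, _user, pw in accounts if len(pw) <= min_length]


def blast_radius(accounts, breached_site):
    """Other sites where a password leaked from breached_site would also work.

    This is the cascade the diary warns about: one compromised site hands the
    attacker a credential that is valid everywhere the password was reused.
    """
    leaked_passwords = {pw for site, _user, pw in accounts if site == breached_site}
    return sorted(site for site, _user, pw in accounts
                  if site != breached_site and pw in leaked_passwords)


def generate_password(length=20):
    """Random replacement password from the OS CSPRNG (secrets module).

    Intended to be stored in a password manager rather than remembered, which is
    what makes a unique, long password per site practical.
    """
    if length <= MIN_LENGTH:
        raise ValueError("length must exceed %d characters" % MIN_LENGTH)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(accounts):
    """Return a plain dict summarising the findings for the inventory."""
    return {
        "reused": find_reused(accounts),
        "short": find_short(accounts),
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS)
    for pw, sites in report["reused"].items():
        print("password reused on %d sites: %s" % (len(sites), ", ".join(sites)))
    for site in report["short"]:
        print("password at %s is not over %d characters" % (site, MIN_LENGTH))
    print("a breach at blog-host.example would also expose:",
          blast_radius(ACCOUNTS, "blog-host.example"))
    print("suggested replacement (store it, don't memorise it):",
          generate_password(20))
```

Running the script lists the three sites sharing one password, the four accounts at or under the 12-character mark, and the two additional sites an attacker would reach from a single breach of the blog host; the generated replacement is meant to be pasted into a password manager, not reused.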

--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting
